Fri, 10 Apr 2026 04:00:02 +0000 https://bugs.horde.org/ticket/6891 HTML messages created with IMP and FCKEDIT have formatting stripped while viewing with IE6/7 If you receive an HTML formatted message created in IMP.. when you view it in IE6/7, IMP will strip some of the formatting in the name of protecting us from XSS... <h1><span XSSCleaned="color: rgb(255, 0, 0);"><strong> <span XSSCleaned="font-size: xx-large;"> <span XSSCleaned="font-family: Verdana;">Red<br /> </span></span></strong></span></h1> You can view the message properly using the same IMP installation and other browsers / platforms. The problem mostly seems to be with "spans" and "styles". I've also seen it strip formatting from Mail.app messages. Tue, 10 Jun 2008 19:16:08 +0000 https://bugs.horde.org/ticket/6891#t46210 What's the bug/action here though? IE allows javascript in inline styles (expression: ...), so we have to strip them. Tue, 10 Jun 2008 19:26:01 +0000 https://bugs.horde.org/ticket/6891#t46212 Ah. Is this documented someplace? (e.g. "When using IE, we strip some formating because IE allows JS to be embedded in style information...") Mostly, I think our help desk was expecting the same messages to be displayed the same across browsers.. and I was surprised that IMP + IE was filtering some stuff in the name of XSS protection, when it wasn't on other browsers. Tue, 10 Jun 2008 19:45:18 +0000 https://bugs.horde.org/ticket/6891#t46214 > Is this documented someplace? (e.g. "When using IE, we strip some > formating because IE allows JS to be embedded in style > information...") Probably not anywhere user-visible. Suggestions on where that might usefully go would be welcome. Thu, 12 Jun 2008 18:32:07 +0000 https://bugs.horde.org/ticket/6891#t46342 Not closing out the possibility of doc improvements, but we can either reopen this, or you can post them elsewhere. Mon, 30 Jun 2008 18:55:59 +0000 https://bugs.horde.org/ticket/6891#t47027